US20160308856A1 - Two factor authentication using a one-time password - Google Patents

Two factor authentication using a one-time password Download PDF

Info

Publication number
US20160308856A1
US20160308856A1 US15/192,919 US201615192919A US2016308856A1 US 20160308856 A1 US20160308856 A1 US 20160308856A1 US 201615192919 A US201615192919 A US 201615192919A US 2016308856 A1 US2016308856 A1 US 2016308856A1
Authority
US
United States
Prior art keywords
user
time password
secure subsystem
website
password
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US15/192,919
Inventor
Paul Rockwell
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
PayPal Inc
Original Assignee
PayPal Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by PayPal Inc filed Critical PayPal Inc
Priority to US15/192,919 priority Critical patent/US20160308856A1/en
Assigned to EBAY INC. reassignment EBAY INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ROCKWELL, PAUL
Assigned to PAYPAL, INC. reassignment PAYPAL, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: EBAY INC.
Publication of US20160308856A1 publication Critical patent/US20160308856A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/42User authentication using separate channels for security data
    • G06F21/43User authentication using separate channels for security data wireless channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication

Definitions

  • Embodiments of the present invention generally relate to online commerce and social interactions conducted over a communication network such as the Internet and, more particularly, to authentication for secure communications, over the network, between service users and service providers, including secure account access and authorizations.
  • Secure communication over the Internet between parties to a transaction often relies on the user registering on the website and then logging in to the website using the familiar combination of a username and a password.
  • the username-password login is one example of what is often referred to as single factor authentication.
  • the factors of authentication typically include: “something you have” (e.g., mobile phone or hardware token), “something you know” (e.g., personal identification number (PIN) or password), and “something you are” (e.g., biometric information).
  • an entity (the shopper, referred to as “end-user” or “user”) that wants to assert a particular identity may communicate some authentication information to another entity (the merchant website, referred to as “relying party” or “service provider”) that wants to verify the end-user's identity.
  • the merchant website referred to as “relying party” or “service provider”
  • Each service provider may provide their own system for login and authentication so that any particular user may need to register an identifier (e.g., username and password) at every service provider the user wishes to maintain an account or identity with.
  • OpenID is an open standard for authentication that allows users to consolidate their digital identitieshttp://en.wikipedia.org/wiki/OpenID—cite note-eeldon-0#cite note-eeldon-0 and eliminates the need for service providers to provide their own individual or ad hoc systems.
  • OpenID may provide a user with one login for multiple sites. For example, a user may create accounts with one or more of the user's preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication.
  • the OpenID standard provides a framework for the necessary communication between the identity provider and the OpenID relying party.
  • OAuth is an open standard for authorization, complementary to, but distinct from OpenID, that allows users to share private information stored on one site with another site without having to compromise identity credentials.
  • OAuth supplies a token that grants access to a specific site for certain user information for a specified period of time. This allows a user to grant a third party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data.
  • OpenID does not rely on a central authority to authenticate a user's identity. Moreover, neither service providers nor the OpenID standard may mandate a specific approach to authenticating users, allowing for various approaches including username-password, smart cards, or biometrics. OpenID typically, however, uses the familiar username and password authentication, which is prone to a number of disadvantages. For example, a quality password should have many characters which are a mix of upper, lower, punctuation, and special characters so that it is difficult to compromise. However, a good quality password is often difficult and time-consuming to type, is often forgotten (as various password requirements exist on various sites), and users are advised to use different passwords for different accounts (to further reduce the chance their accounts will be compromised).
  • methods and systems for authentication eliminate the common username plus password combination, instead using a novel two-factor authentication that employs a mobile phone number and one-time, limited life password.
  • the user provides the user's mobile phone number to login to a service provider's site, and receives a one-time password (e.g., via a text message)on the mobile device to which the phone number belongs. If the user enters the one-time password within its limited lifespan, the user is then logged into the service provider's site.
  • a system includes: a processor configured to communicate over a network with a mobile device and with a website; and a data storage device including a computer-readable medium having computer readable code for instructing the processor, and when executed by the processor, performs operations including: receiving a phone number from a user via the network in response to a login prompt displayed to the user; transmitting a one-time password to the mobile phone associated with the phone number; and in response to receiving the one-time password from the user via the network, authenticating the user for transactions with the website.
  • a method in another embodiment, includes: receiving a phone number from a user via a network in response to a login prompt displayed to the user; transmitting a one-time password to the phone associated with the phone number; and in response to receiving the one-time password from the user via a network, authenticating the user for transactions with a website.
  • a computer program product comprises a non-transitory computer readable medium having computer readable and executable code for instructing a processor to perform a method that includes: receiving a phone number from a user via a network in response to a login prompt displayed to the user; transmitting a one-time password to a phone associated with the phone number; and in response to receiving the one-time password from the user via the network, authenticating the user for transactions with the website.
  • FIG. 1 is a system diagram illustrating a system for providing authentication services in accordance with an embodiment of the present invention.
  • FIG. 2 is a flow chart illustrating a method for providing authentication services in accordance with an embodiment.
  • FIG. 3 is a flow chart illustrating a method for using authentication services in accordance with an embodiment.
  • FIG. 4 is a flow chart illustrating a method for providing authentication for resetting passwords in accordance with an embodiment.
  • Embodiments of the present invention provide a two-factor authentication that replaces the commonly used username and password authentication with the user's phone number and transmission to the user's phone of a limited life, one-time password, which, for example, could be as simple as a personal identification number (PIN) or more elaborate such as a random string of upper and lower case characters, numbers, and special characters.
  • PIN personal identification number
  • the user goes to an online website (e.g., a merchant or service provider) and logs in by entering the phone number for a mobile device the user has at hand, the user promptly receives a message on the mobile device containing the one-time password, enters the one-time password to the online log in before it expires, and is then logged in to the online website.
  • Limited information (already selected by the user) may be shared with the online website, for the purposes of user preferences, tracking, and order management.
  • Embodiments provide a two-factor authentication that is easier to use, and therefore, more secure than the typical username-password authentication, because, for example, most people will remember their phone number and the one-time password need not be remembered as it is sent to the user in near real time and must be used within a very short lifespan before it expires.
  • embodiments alleviate common difficulties with users having to remember a multitude of arbitrary usernames and corresponding passwords, which are often forgotten.
  • Elimination of the “friction” described above, making embodiments more readily used and more reliable, for example, may further enhance the security of authentication provided by one or more embodiments so as to mitigate or eliminate the problem of “account takeover” experienced by service providers, in which a user's account may be fraudulently used by an unauthorized person who manages to guess or break the username-password security of an account owned by the user.
  • Such services may include, for example, an online payment service operating between consumers and merchants and may be a service provided by a financial service provider (FSP)—such as PayPal, Inc. of San Jose, Calif.—in which a user of the service may have an account with the FSP (referred to as an “FSP account).
  • FSP financial service provider
  • Embodiments may also provide convenient (e.g., one-stop login or use of a favorite login provider for use with multiple merchants and websites) authentication and authorization services such as those provided by OpenID and OAuth.
  • Embodiments may provide an added level of security compared to OpenID and OAuth, however, because the operational models of OpenID and OAuth, and similar standards, may be described as hub-and-spoke, where the OAuth or OpenID account is the hub, and all related accounts are the spokes. If the hub is compromised (for example, via a weak password, phishing, or malware) then the spokes are also compromised. With the new mechanism for authentication provided by one or more embodiments, there is little opportunity for compromise.
  • FIG. 1 illustrates a system 100 for online commerce according to one embodiment.
  • a user 102 may communicate via a computing device 104 (e.g., a computer, cell phone, computing tablet, or other consumer electronic device) with financial service provider (FSP) 120 via communication networks 106 , which may include the Internet as well as phone networks such as Public Switched Telephone Network (PSTN).
  • FSP financial service provider
  • User 102 may also communicate over communication networks 106 using a mobile device 105 , e.g., a mobile phone of any kind, that can receive messages such as Short Message Service (SMS) messages.
  • SMS Short Message Service
  • User 102 may also communicate via network 106 with a website 108 that may be a merchant website that is a seller of retail goods, for example.
  • SMS Short Message Service
  • Merchant website 108 may sell goods online and may communicate with user 102 , for example, by operating a server 110 (e.g., a computer processor) that presents a website for selling goods.
  • the server 110 may respond responding to client devices (e.g., client 111 running on device 104 ) by communicating over network 106 .
  • client devices e.g., client 111 running on device 104
  • computing device 104 and mobile device 105 need not be separate devices, although they can be, and may be the same device such as embodied by a smart phone, for example.
  • Merchant website 108 may also communicate (for example, using server 110 ) with FSP 120 through FSP server 122 over network 106 .
  • merchant website 108 may communicate with FSP 120 in the course of various services offered by FSP 120 to merchant website 108 , such as payment intermediary between customers (e.g., consumer user 102 ) of merchant website 108 and merchant website 108 itself.
  • merchant website 108 may use an application programming interface (API) 112 that allows it to offer sale of goods in which customers are allowed to make payment through FSP 120 , while consumer user 102 may have an account with FSP 120 that allows consumer user 102 to use the FSP 120 for making payments to sellers that allow use of authentication, authorization, and payment services 124 of FSP 120 as a payment intermediary.
  • API application programming interface
  • FSP 120 may provide electronic data storage in the form of database 126 .
  • Database 126 may be used to keep track of user's accounts 128 with FSP 120 , merchant's accounts with FSP 120 , and transactions between customers, merchants, and stores including payments between the various entities, for example.
  • FSP server 122 may execute various application programming interfaces (APIs) that may enable various different types of relationships between FSP 120 and the different parties shown in FIG. 1 .
  • FSP may provide various APIs 125 to its customers such as website 108 (e.g., API 112 ) and website 130 (e.g., API 112 ) that enable those websites to implement embodiments of authentication, authorization, and password reset services.
  • Website 130 may be a website that provides authorization services that enable a user (e.g., user 102 ) to login to other websites and services while only having to maintain one user account 134 at the authorization services website 130 .
  • a user e.g., user 102
  • Website 130 may communicate with FSP 120 and user 102 , for example. over communication network 106 via server 136 .
  • Website 130 may offer authentication and authorization services through use and customization of an API 132 which may be provided by FSP 120 .
  • FSP 120 may provide an API 125 that is customizable to become API 132 .
  • merchant website 108 may offer authentication and authorization services through use and customization of an API 125 that is customizable to become API 112 provided by FSP 120 .
  • FIG. 2 illustrates a method 200 for providing authentication services.
  • a financial service provider may create (or otherwise provide) a series of API's for registration, login, or password reset (not all APIs may be needed by all customers, e.g., merchant websites or service providers).
  • a service provider may provide an API (e.g., one of APIs 125 ) for registration to one of its commercial customers (e.g., merchant website 108 or authentication services website 130 ) that, when customized by the customer, e.g., merchant website 108 , may implement a merchant-customized registration flow (a web flow or exchange of communication between the website and a user, e.g., user 102 , of the website) that at the least gathers and verifies the user's mobile number.
  • the merchant may integrate the API into the merchant's website as an alternative to a traditional merchant -hosted registration flow.
  • a service provider may provide an API for user login that when, customized by the customer, e.g., website 108 or 130 , may implement a login web flow.
  • the customized API e.g., API 112 or 132
  • the consumer user e.g., user 102
  • the merchant website e.g., website 108
  • a service provider may provide an API for user password reset (e.g., for conventional username-password authentication processes) that when, customized by the customer, e.g., website 108 or 130 , may implement a customer -customized web flow.
  • the password reset API could be useful for customers not wishing to use the registration or login API for one-time password authentication and preferring to stay with a more conventional username-password authentication process.
  • the customized API e.g., API 112 or 132
  • a consumer may enter the consumer's existing username (e.g.
  • the password reset API may then send, in response, a one-time password in a text message to the consumer's mobile phone via SMS, and the consumer would enter that one-time password back in the iframe.
  • the password reset API would send a new password via SMS to the consumer, and notify the merchant of the new password.
  • the merchant can present a “change your password” flow of its own choosing at this point.
  • a service provider may deliver an appropriate API (e.g., one of APIs 125 ) to its customer, e.g., merchant website 108 or authentication service provider (login host website) 130 .
  • the API may be customized either before or after delivery.
  • FIG. 3 illustrates a method 300 for using authentication services in accordance with an embodiment.
  • a service provider may receive a phone number from a user 102 via the network 106 in response to a login prompt displayed to the user 102 .
  • the user 102 may go to the merchant website 108 from any device (e.g., computing device 104 or mobile device (phone) 105 ) and clicks “Sign in” (e.g., the displayed login prompt). It doesn't matter what device user 102 signs in from (e.g., computing device 104 or mobile device (phone) 105 ) because the session would eventually time out, and the one-time password that will be provided to and used by user 102 may prevent the same credentials from being used again later for another session.
  • a number of login options may be provided.
  • FSP 120 may host the login.
  • the FSP 120 may provide computer code (e.g., an API 125 ) to the merchant website 108 , which the merchant website 108 may place on their website (similar to experience with OpenID or OAuth) for their customers to log in.
  • the FSP 120 may pass certain information (e.g., from accounts information 128 ) such as email address and user identification so that the merchant website can track information (e.g., preferences, items in cart) about this particular customer, consumer user 102 .
  • the user 102 can choose one of many optional login hosts.
  • Some merchants e.g., merchant website 108
  • Some merchants present customers with multiple options for logging in, based on accounts at companies the customer may already do business with, and which, importantly, they trust. For example, large companies or ones with a well-known web presence that offer their own login accounts.
  • FSP 120 may pass certain information (e.g., email address and user identification) to the merchant website 108 so the merchant can track information (e.g., preferences, items in cart) about this particular customer, consumer user 102 .
  • the merchant could have its own login dialog, but also offer an alternative for the FSP 120 login such as an additional button to click.
  • user 102 may enter the mobile phone number of the user's mobile device (e.g., phone number for mobile device 105 ). For example, the user may enter the user's mobile device phone number in the field that asks for it and click “submit”.
  • the user's mobile device phone number in the field that asks for it and click “submit”.
  • FSP 120 may match the phone number to an FSP account (e.g., using database 126 and accounts information 128 ). On finding a match, FSP 120 may generate a one-time password, set a pre-defined expiration period for the one-time password, and send the one-time password to the phone number (e.g., to the mobile device having that phone number such as mobile device 105 ). The expiration period gives the one-time password a finite lifespan, e.g., a few minutes, after which the one-time password expires, meaning that it is no longer valid and the authentication process will not be continued, regardless of whether or not the one-time password has been correctly entered. Also, for example, on finding a match, if the user's FSP account is suspended or under some other restriction, FSP 120 may provide a dialog to user 102 that explains the next steps for that user.
  • FSP account e.g., using database 126 and accounts information 128 .
  • FSP 120 may generate a one-time password, set
  • user 102 may enter the one-time password (by entering in the proper field in the dialog or web flow provided, for example, and clicking submit).
  • the user 102 In response to receiving the one-time password from the user 102 via the network 106 before the expiration period for the one-time password passes or runs out, the user 102 is now logged in (e.g., authenticated) and may start shopping, for example, on the merchant website 108 .
  • the login module e.g., the login dialog and exchange of information with user 102
  • the FSP 120 e.g., server 122 , database 126 ) needs to look for the correct one-time password to be received and the one-time password does not need to be sent to the merchant website 108 .
  • FSP 120 may provide a dialog that either prompts the user 102 to enter the one-time password again or provides an option like “click to resend one-time password”. Once user 102 enters in the correct one-time password, FSP 120 may pass certain data elements to the merchant website 108 so that it can track the session, information, and preferences of user 102 for the merchant website's product, service, or company.
  • one of the data elements shared with merchant website 108 may be a unique identifier generated by the FSP—e.g., a random string such as “123a4b56c789d”—that represents the user's (e.g., user 102 ) FSP account.
  • the merchant website 108 may be able to associate any number of different things (e.g., display preferences, items in the user's cart, favorite items, wish lists) with the user's FSP-unique identifier.
  • the merchant website 108 may store this associated information as profile information, but the user (e.g., user 102 ) will not need to know anything other than the user's mobile number (and the one-time password just received) in order to log in to the merchant website (for example, the user does not need a merchant website username and password combination). Thus, the user may be relieved of many of the problems and difficulties discussed above and may experience very little “friction” (as defined above) for logging in to the merchant website. The login process may still, however, provide the merchant website with the information it desires to have about the user (e.g., user 102 ) who is logging in using method 300 .
  • FIG. 4 illustrates a method 400 for providing authentication for resetting passwords in accordance with an embodiment.
  • an operator of a customized API for resetting passwords e.g., FSP 120 , merchant website 108 , or login host website 130
  • operator FSP 120 may provide a web flow for helping consumer users (e.g., user 102 ) reset passwords based on mobile phone numbers in their profile (e.g., accounts information 128 ).
  • the consumer 102 may enter the consumer's existing username (e.g. email address is commonly used) and a phone number in a dialog box or separate frame of the webpage.
  • FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102 ) mobile device. The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage.
  • the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed.
  • the FSP 120 may (by executing the password reset API) may either allow the user to establish a new password on the merchant website or send a new password (for use with the username) in a text message (e.g., via SMS) to the consumer user 102 , and notify the customer (e.g., merchant website 108 ) of the new password.
  • the merchant website 108 may present a “change your password” flow at this point. The “change your password” flow may have been chosen, designed, or customized by the merchant website to suit its wishes.
  • embodiments of the invention may comprise a personal computing device, such as a personal computer, laptop, PDA, cellular phone or other personal computing or communication devices.
  • the payment provider system may comprise a network computing device, such as a server or a plurality of servers, computers, or processors, combined to define a computer system or network to provide the payment services provided by a payment provider system.
  • a computer system may include a bus or other communication mechanism for communicating information, which interconnects subsystems and components, such as a processing component (e.g., processor, micro-controller, digital signal processor (DSP), etc.), a system memory component (e.g., RAM), a static storage component (e.g., ROM), a disk drive component (e.g., magnetic or optical), a network interface component (e.g., modem or Ethernet card), a display component (e.g., CRT or LCD), an input component (e.g., keyboard or keypad), and/or cursor control component (e.g., mouse or trackball).
  • a disk drive component may comprise a database having one or more disk drive components.
  • the computer system may perform specific operations by processor and executing one or more sequences of one or more instructions contained in a system memory component. Such instructions may be read into the system memory component from another computer readable medium, such as static storage component or disk drive component. In other embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention.
  • Non-volatile media includes optical or magnetic disks, such as disk drive component
  • volatile media includes dynamic memory, such as system memory component
  • transmission media includes coaxial cables, copper wire, and fiber optics, including wires that comprise bus.
  • transmission media may take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.
  • Computer readable and executable media include, for example, floppy disk, flexible disk, hard disk, magnetic tape, any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, ROM, E2PROM, FLASH-EPROM, any other memory chip or cartridge, carrier wave, or any other medium from which a computer is adapted to read.
  • execution of instruction sequences for practicing the invention may be performed by a computer system.
  • a plurality of computer systems coupled by a communication link e.g., LAN, WLAN, PTSN, or various other wired or wireless networks
  • a communication link e.g., LAN, WLAN, PTSN, or various other wired or wireless networks
  • Modules described herein can be embodied in one or more computer readable media or be in communication with one or more processors to execute or process the steps described herein.
  • a computer system may transmit and receive messages, data, information and instructions, including one or more programs (i.e., application code) through a communication link and a communication interface.
  • Received program code may be executed by a processor as received and/or stored in a disk drive component or some other non-volatile storage component for execution.
  • various embodiments provided by the present disclosure may be implemented using hardware, software, or combinations of hardware and software.
  • the various hardware components and/or software components set forth herein may be combined into composite components comprising software, hardware, and/or both without departing from the spirit of the present disclosure.
  • the various hardware components and/or software components set forth herein may be separated into sub-components comprising software, hardware, or both without departing from the scope of the present disclosure.
  • software components may be implemented as hardware components and vice-versa—for example, a virtual Secure Element (vSE) implementation or a logical hardware implementation.
  • vSE virtual Secure Element
  • Software in accordance with the present disclosure, such as program code and/or data, may be stored on one or more computer readable and executable mediums. It is also contemplated that software identified herein may be implemented using one or more general purpose or specific purpose computers and/or computer systems, networked and/or otherwise. Where applicable, the ordering of various steps described herein may be changed, combined into composite steps, and/or separated into sub-steps to provide features described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Methods and systems for online authentication eliminate the common username plus password combination, using instead a novel two-factor authentication that employs a mobile phone number and a one-time, limited life password. The user provides the mobile phone number to a login dialog and receives, from a service provider, the one-time password, e.g., via a text message, at the mobile device to which the phone number belongs. If the user enters the one-time password before it expires, the user is authenticated and logged in. A method for authentication or authorization to a website includes: receiving a phone number from a user via a communication network in response to a login prompt displayed to the user; transmitting a one-time password to the phone number using text messaging; and in response to receiving the one-time password back from the user, authenticating the user for transactions with the website.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation of co-pending U.S. application Ser. No. 13/447,092, filed Apr. 13, 2012, to which it claims priority and which is incorporated by reference in its entirety.
    • BACKGROUND
  • 1. Technical Field
  • Embodiments of the present invention generally relate to online commerce and social interactions conducted over a communication network such as the Internet and, more particularly, to authentication for secure communications, over the network, between service users and service providers, including secure account access and authorizations.
  • 2. Related Art
  • Secure communication over the Internet between parties to a transaction (e.g., an online shopper and a merchant website, or a user of a social networking website and the social networking website) often relies on the user registering on the website and then logging in to the website using the familiar combination of a username and a password. The username-password login is one example of what is often referred to as single factor authentication. The factors of authentication typically include: “something you have” (e.g., mobile phone or hardware token), “something you know” (e.g., personal identification number (PIN) or password), and “something you are” (e.g., biometric information). In the online shopper example, an entity (the shopper, referred to as “end-user” or “user”) that wants to assert a particular identity may communicate some authentication information to another entity (the merchant website, referred to as “relying party” or “service provider”) that wants to verify the end-user's identity. Each service provider may provide their own system for login and authentication so that any particular user may need to register an identifier (e.g., username and password) at every service provider the user wishes to maintain an account or identity with.
  • OpenID is an open standard for authentication that allows users to consolidate their digital identitieshttp://en.wikipedia.org/wiki/OpenID—cite note-eeldon-0#cite note-eeldon-0 and eliminates the need for service providers to provide their own individual or ad hoc systems. OpenID may provide a user with one login for multiple sites. For example, a user may create accounts with one or more of the user's preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication. The OpenID standard provides a framework for the necessary communication between the identity provider and the OpenID relying party. An extension to OpenID—OpenID Attribute Exchange—facilitates the transfer from the OpenID identity provider to the relying party of certain user information, such as name and address, that may be requested by a relying party.
  • Similarly, OAuth is an open standard for authorization, complementary to, but distinct from OpenID, that allows users to share private information stored on one site with another site without having to compromise identity credentials. Typically, OAuth supplies a token that grants access to a specific site for certain user information for a specified period of time. This allows a user to grant a third party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data.
  • The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither service providers nor the OpenID standard may mandate a specific approach to authenticating users, allowing for various approaches including username-password, smart cards, or biometrics. OpenID typically, however, uses the familiar username and password authentication, which is prone to a number of disadvantages. For example, a quality password should have many characters which are a mix of upper, lower, punctuation, and special characters so that it is difficult to compromise. However, a good quality password is often difficult and time-consuming to type, is often forgotten (as various password requirements exist on various sites), and users are advised to use different passwords for different accounts (to further reduce the chance their accounts will be compromised). This is especially true on a mobile device using touch keypads that have various ‘levels’ of keypads for characters beyond simple alpha-numeric. These difficulties or “friction” perceived on the part of the user, however minor, may lead to certain compromises. For example, many users may be apt to use less than optimal passwords, and use them repeatedly, which can be vulnerable to many well-known types of attack, such as a dictionary attack (a script that systematically tries out commonly used passwords) or trying out passwords which relate to the user (e.g. name of child, spouse, pet, or important dates).
    • SUMMARY
  • According to one or more embodiments of the present invention, methods and systems for authentication eliminate the common username plus password combination, instead using a novel two-factor authentication that employs a mobile phone number and one-time, limited life password. The user provides the user's mobile phone number to login to a service provider's site, and receives a one-time password (e.g., via a text message)on the mobile device to which the phone number belongs. If the user enters the one-time password within its limited lifespan, the user is then logged into the service provider's site.
  • In one or more embodiments, a system includes: a processor configured to communicate over a network with a mobile device and with a website; and a data storage device including a computer-readable medium having computer readable code for instructing the processor, and when executed by the processor, performs operations including: receiving a phone number from a user via the network in response to a login prompt displayed to the user; transmitting a one-time password to the mobile phone associated with the phone number; and in response to receiving the one-time password from the user via the network, authenticating the user for transactions with the website.
  • In another embodiment, a method includes: receiving a phone number from a user via a network in response to a login prompt displayed to the user; transmitting a one-time password to the phone associated with the phone number; and in response to receiving the one-time password from the user via a network, authenticating the user for transactions with a website.
  • In a further embodiment, a computer program product comprises a non-transitory computer readable medium having computer readable and executable code for instructing a processor to perform a method that includes: receiving a phone number from a user via a network in response to a login prompt displayed to the user; transmitting a one-time password to a phone associated with the phone number; and in response to receiving the one-time password from the user via the network, authenticating the user for transactions with the website.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a system diagram illustrating a system for providing authentication services in accordance with an embodiment of the present invention.
  • FIG. 2 is a flow chart illustrating a method for providing authentication services in accordance with an embodiment.
  • FIG. 3 is a flow chart illustrating a method for using authentication services in accordance with an embodiment.
  • FIG. 4 is a flow chart illustrating a method for providing authentication for resetting passwords in accordance with an embodiment.
    •  DETAILED DESCRIPTION
  • Embodiments of the present invention provide a two-factor authentication that replaces the commonly used username and password authentication with the user's phone number and transmission to the user's phone of a limited life, one-time password, which, for example, could be as simple as a personal identification number (PIN) or more elaborate such as a random string of upper and lower case characters, numbers, and special characters. Briefly, from the user's perspective, the user goes to an online website (e.g., a merchant or service provider) and logs in by entering the phone number for a mobile device the user has at hand, the user promptly receives a message on the mobile device containing the one-time password, enters the one-time password to the online log in before it expires, and is then logged in to the online website. Limited information (already selected by the user) may be shared with the online website, for the purposes of user preferences, tracking, and order management.
  • Embodiments provide a two-factor authentication that is easier to use, and therefore, more secure than the typical username-password authentication, because, for example, most people will remember their phone number and the one-time password need not be remembered as it is sent to the user in near real time and must be used within a very short lifespan before it expires. Thus, embodiments alleviate common difficulties with users having to remember a multitude of arbitrary usernames and corresponding passwords, which are often forgotten. Elimination of the “friction” described above, making embodiments more readily used and more reliable, for example, may further enhance the security of authentication provided by one or more embodiments so as to mitigate or eliminate the problem of “account takeover” experienced by service providers, in which a user's account may be fraudulently used by an unauthorized person who manages to guess or break the username-password security of an account owned by the user. Such services may include, for example, an online payment service operating between consumers and merchants and may be a service provided by a financial service provider (FSP)—such as PayPal, Inc. of San Jose, Calif.—in which a user of the service may have an account with the FSP (referred to as an “FSP account).
  • Embodiments may also provide convenient (e.g., one-stop login or use of a favorite login provider for use with multiple merchants and websites) authentication and authorization services such as those provided by OpenID and OAuth. Embodiments may provide an added level of security compared to OpenID and OAuth, however, because the operational models of OpenID and OAuth, and similar standards, may be described as hub-and-spoke, where the OAuth or OpenID account is the hub, and all related accounts are the spokes. If the hub is compromised (for example, via a weak password, phishing, or malware) then the spokes are also compromised. With the new mechanism for authentication provided by one or more embodiments, there is little opportunity for compromise.
  • FIG. 1 illustrates a system 100 for online commerce according to one embodiment. A user 102 (generally a consumer or consumer user of FSP services) may communicate via a computing device 104 (e.g., a computer, cell phone, computing tablet, or other consumer electronic device) with financial service provider (FSP) 120 via communication networks 106, which may include the Internet as well as phone networks such as Public Switched Telephone Network (PSTN). User 102 may also communicate over communication networks 106 using a mobile device 105, e.g., a mobile phone of any kind, that can receive messages such as Short Message Service (SMS) messages. User 102 may also communicate via network 106 with a website 108 that may be a merchant website that is a seller of retail goods, for example. Merchant website 108 may sell goods online and may communicate with user 102, for example, by operating a server 110 (e.g., a computer processor) that presents a website for selling goods. The server 110 may respond responding to client devices (e.g., client 111 running on device 104) by communicating over network 106. In general, for purposes of embodiments described herein, computing device 104 and mobile device 105 need not be separate devices, although they can be, and may be the same device such as embodied by a smart phone, for example.
  • Merchant website 108 may also communicate (for example, using server 110) with FSP 120 through FSP server 122 over network 106. For example, merchant website 108 may communicate with FSP 120 in the course of various services offered by FSP 120 to merchant website 108, such as payment intermediary between customers (e.g., consumer user 102) of merchant website 108 and merchant website 108 itself. For example, merchant website 108 may use an application programming interface (API) 112 that allows it to offer sale of goods in which customers are allowed to make payment through FSP 120, while consumer user 102 may have an account with FSP 120 that allows consumer user 102 to use the FSP 120 for making payments to sellers that allow use of authentication, authorization, and payment services 124 of FSP 120 as a payment intermediary. Also as shown in FIG. 1, FSP 120 may provide electronic data storage in the form of database 126. Database 126 may be used to keep track of user's accounts 128 with FSP 120, merchant's accounts with FSP 120, and transactions between customers, merchants, and stores including payments between the various entities, for example. FSP server 122 may execute various application programming interfaces (APIs) that may enable various different types of relationships between FSP 120 and the different parties shown in FIG. 1. In addition, FSP may provide various APIs 125 to its customers such as website 108 (e.g., API 112) and website 130 (e.g., API 112) that enable those websites to implement embodiments of authentication, authorization, and password reset services.
  • Website 130 may be a website that provides authorization services that enable a user (e.g., user 102) to login to other websites and services while only having to maintain one user account 134 at the authorization services website 130. For example, such an arrangement may be provided according to the OpenID and OAuth standards. Website 130 may communicate with FSP 120 and user 102, for example. over communication network 106 via server 136. Website 130 may offer authentication and authorization services through use and customization of an API 132 which may be provided by FSP 120. For example, FSP 120 may provide an API 125 that is customizable to become API 132. Similarly, merchant website 108 may offer authentication and authorization services through use and customization of an API 125 that is customizable to become API 112 provided by FSP 120.
  • FIG. 2 illustrates a method 200 for providing authentication services. In one embodiment a financial service provider may create (or otherwise provide) a series of API's for registration, login, or password reset (not all APIs may be needed by all customers, e.g., merchant websites or service providers).
  • At step 201, a service provider (e.g., FSP 120) may provide an API (e.g., one of APIs 125) for registration to one of its commercial customers (e.g., merchant website 108 or authentication services website 130) that, when customized by the customer, e.g., merchant website 108, may implement a merchant-customized registration flow (a web flow or exchange of communication between the website and a user, e.g., user 102, of the website) that at the least gathers and verifies the user's mobile number. The merchant may integrate the API into the merchant's website as an alternative to a traditional merchant -hosted registration flow.
  • At step 202, a service provider may provide an API for user login that when, customized by the customer, e.g., website 108 or 130, may implement a login web flow. For example, the customized API (e.g., API 112 or 132) may implement a login dialog box—which may displayed from the merchant website 108, a website of FSP 120 or an authentication website 130 upon redirect, for example—that requires a mobile phone number, sends a one-time password via SMS to that mobile phone (by using the phone number sends the one-time password to the phone having that phone number), then prompts the consumer to enter in the one-time password. Once completed, the consumer user (e.g., user 102) may be authenticated and directed to the merchant website, e.g., website 108.
  • At step 203, a service provider may provide an API for user password reset (e.g., for conventional username-password authentication processes) that when, customized by the customer, e.g., website 108 or 130, may implement a customer -customized web flow. The password reset API could be useful for customers not wishing to use the registration or login API for one-time password authentication and preferring to stay with a more conventional username-password authentication process. For example, the customized API (e.g., API 112 or 132) may implement a web flow for helping consumer users (e.g., user 102) reset passwords based on mobile phone numbers in their profile. In use, a consumer may enter the consumer's existing username (e.g. email address is commonly used) and a phone number in a dialog box or separate frame of the webpage (e.g., an iframe could be used). The password reset API may then send, in response, a one-time password in a text message to the consumer's mobile phone via SMS, and the consumer would enter that one-time password back in the iframe. Once the consumer is authenticated, the password reset API would send a new password via SMS to the consumer, and notify the merchant of the new password. The merchant can present a “change your password” flow of its own choosing at this point.
  • At step 204, a service provider (e.g., FSP 120) may deliver an appropriate API (e.g., one of APIs 125) to its customer, e.g., merchant website 108 or authentication service provider (login host website) 130. The API may be customized either before or after delivery.
  • FIG. 3 illustrates a method 300 for using authentication services in accordance with an embodiment.
  • At step 301, a service provider (e.g., FSP 120 or login host website 130) may receive a phone number from a user 102 via the network 106 in response to a login prompt displayed to the user 102. For example, the user 102 may go to the merchant website 108 from any device (e.g., computing device 104 or mobile device (phone) 105) and clicks “Sign in” (e.g., the displayed login prompt). It doesn't matter what device user 102 signs in from (e.g., computing device 104 or mobile device (phone) 105) because the session would eventually time out, and the one-time password that will be provided to and used by user 102 may prevent the same credentials from being used again later for another session.
  • In an example of user 102 shopping on a merchant website 108, a number of login options may be provided.
  • In a first login option example, FSP 120 may host the login. The FSP 120 may provide computer code (e.g., an API 125) to the merchant website 108, which the merchant website 108 may place on their website (similar to experience with OpenID or OAuth) for their customers to log in. Once the customer completes the login session, the FSP 120 may pass certain information (e.g., from accounts information 128) such as email address and user identification so that the merchant website can track information (e.g., preferences, items in cart) about this particular customer, consumer user 102.
  • In a second login option example, the user 102 can choose one of many optional login hosts. Some merchants (e.g., merchant website 108) present customers with multiple options for logging in, based on accounts at companies the customer may already do business with, and which, importantly, they trust. For example, large companies or ones with a well-known web presence that offer their own login accounts. Similar to the first login option example, once the customer completes the login session via the chosen login host (e.g., using method 300 at login host website 130), FSP 120 may pass certain information (e.g., email address and user identification) to the merchant website 108 so the merchant can track information (e.g., preferences, items in cart) about this particular customer, consumer user 102.
  • In a third login option example, the merchant could have its own login dialog, but also offer an alternative for the FSP 120 login such as an additional button to click.
  • Regardless of login option chosen, user 102 may enter the mobile phone number of the user's mobile device (e.g., phone number for mobile device 105). For example, the user may enter the user's mobile device phone number in the field that asks for it and click “submit”.
  • At step 302, in the background and in response to receiving the phone number, FSP 120 may match the phone number to an FSP account (e.g., using database 126 and accounts information 128). On finding a match, FSP 120 may generate a one-time password, set a pre-defined expiration period for the one-time password, and send the one-time password to the phone number (e.g., to the mobile device having that phone number such as mobile device 105). The expiration period gives the one-time password a finite lifespan, e.g., a few minutes, after which the one-time password expires, meaning that it is no longer valid and the authentication process will not be continued, regardless of whether or not the one-time password has been correctly entered. Also, for example, on finding a match, if the user's FSP account is suspended or under some other restriction, FSP 120 may provide a dialog to user 102 that explains the next steps for that user.
  • At step 303, user 102 may enter the one-time password (by entering in the proper field in the dialog or web flow provided, for example, and clicking submit). In response to receiving the one-time password from the user 102 via the network 106 before the expiration period for the one-time password passes or runs out, the user 102 is now logged in (e.g., authenticated) and may start shopping, for example, on the merchant website 108. Because the login module (e.g., the login dialog and exchange of information with user 102) is hosted by the FSP 120, only FSP 120 (e.g., server 122, database 126) needs to look for the correct one-time password to be received and the one-time password does not need to be sent to the merchant website 108. If the user 102 fails to enter the correct one-time password, FSP 120 may provide a dialog that either prompts the user 102 to enter the one-time password again or provides an option like “click to resend one-time password”. Once user 102 enters in the correct one-time password, FSP 120 may pass certain data elements to the merchant website 108 so that it can track the session, information, and preferences of user 102 for the merchant website's product, service, or company.
  • For example, by logging in with FSP 120, one of the data elements shared with merchant website 108 may be a unique identifier generated by the FSP—e.g., a random string such as “123a4b56c789d”—that represents the user's (e.g., user 102) FSP account. With the FSP-unique identifier, the merchant website 108 may be able to associate any number of different things (e.g., display preferences, items in the user's cart, favorite items, wish lists) with the user's FSP-unique identifier. The merchant website 108 may store this associated information as profile information, but the user (e.g., user 102) will not need to know anything other than the user's mobile number (and the one-time password just received) in order to log in to the merchant website (for example, the user does not need a merchant website username and password combination). Thus, the user may be relieved of many of the problems and difficulties discussed above and may experience very little “friction” (as defined above) for logging in to the merchant website. The login process may still, however, provide the merchant website with the information it desires to have about the user (e.g., user 102) who is logging in using method 300.
  • FIG. 4 illustrates a method 400 for providing authentication for resetting passwords in accordance with an embodiment. At step 401, an operator of a customized API for resetting passwords (e.g., FSP 120, merchant website 108, or login host website 130) may receive an existing username or email address and phone number from, for example, a merchant on behalf of a consumer user 102 via the network 106 in response to a password reset prompt displayed to the user 102. For example, operator FSP 120 may provide a web flow for helping consumer users (e.g., user 102) reset passwords based on mobile phone numbers in their profile (e.g., accounts information 128). The consumer 102 may enter the consumer's existing username (e.g. email address is commonly used) and a phone number in a dialog box or separate frame of the webpage.
  • At step 402, continuing with the same example, FSP 120 may send, in response to receiving the username and password, a one-time password (having a pre-defined lifespan or expiration period, after which the one-time password is no longer valid for authentication) in a text message, using the phone number (e.g., to the device associated with the phone number), to the consumer user's (user 102) mobile device. The consumer may be expected to then enter that one-time password back into the dialog box or separate frame of the webpage. At step 403, in response to receiving the one-time password back from the user 102 via the network 106, the user may be authenticated, e.g., transactions and operations requiring authentication or authorization may now proceed.
  • At step 404, once the consumer user 102 is authenticated, the FSP 120 may (by executing the password reset API) may either allow the user to establish a new password on the merchant website or send a new password (for use with the username) in a text message (e.g., via SMS) to the consumer user 102, and notify the customer (e.g., merchant website 108) of the new password. The merchant website 108 may present a “change your password” flow at this point. The “change your password” flow may have been chosen, designed, or customized by the merchant website to suit its wishes.
  • In implementation of the various embodiments, embodiments of the invention may comprise a personal computing device, such as a personal computer, laptop, PDA, cellular phone or other personal computing or communication devices. The payment provider system may comprise a network computing device, such as a server or a plurality of servers, computers, or processors, combined to define a computer system or network to provide the payment services provided by a payment provider system.
  • In this regard, a computer system may include a bus or other communication mechanism for communicating information, which interconnects subsystems and components, such as a processing component (e.g., processor, micro-controller, digital signal processor (DSP), etc.), a system memory component (e.g., RAM), a static storage component (e.g., ROM), a disk drive component (e.g., magnetic or optical), a network interface component (e.g., modem or Ethernet card), a display component (e.g., CRT or LCD), an input component (e.g., keyboard or keypad), and/or cursor control component (e.g., mouse or trackball). In one embodiment, a disk drive component may comprise a database having one or more disk drive components.
  • The computer system may perform specific operations by processor and executing one or more sequences of one or more instructions contained in a system memory component. Such instructions may be read into the system memory component from another computer readable medium, such as static storage component or disk drive component. In other embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention.
  • Logic may be encoded in a computer readable and executable medium, which may refer to any medium that participates in providing instructions to the processor for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. In one embodiment, the computer readable medium is non-transitory. In various implementations, non-volatile media includes optical or magnetic disks, such as disk drive component, volatile media includes dynamic memory, such as system memory component, and transmission media includes coaxial cables, copper wire, and fiber optics, including wires that comprise bus. In one example, transmission media may take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.
  • Some common forms of computer readable and executable media include, for example, floppy disk, flexible disk, hard disk, magnetic tape, any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, ROM, E2PROM, FLASH-EPROM, any other memory chip or cartridge, carrier wave, or any other medium from which a computer is adapted to read.
  • In various embodiments, execution of instruction sequences for practicing the invention may be performed by a computer system. In various other embodiments, a plurality of computer systems coupled by a communication link (e.g., LAN, WLAN, PTSN, or various other wired or wireless networks) may perform instruction sequences to practice the invention in coordination with one another.
  • Modules described herein can be embodied in one or more computer readable media or be in communication with one or more processors to execute or process the steps described herein.
  • A computer system may transmit and receive messages, data, information and instructions, including one or more programs (i.e., application code) through a communication link and a communication interface. Received program code may be executed by a processor as received and/or stored in a disk drive component or some other non-volatile storage component for execution.
  • Where applicable, various embodiments provided by the present disclosure may be implemented using hardware, software, or combinations of hardware and software. Also, where applicable, the various hardware components and/or software components set forth herein may be combined into composite components comprising software, hardware, and/or both without departing from the spirit of the present disclosure. Where applicable, the various hardware components and/or software components set forth herein may be separated into sub-components comprising software, hardware, or both without departing from the scope of the present disclosure. In addition, where applicable, it is contemplated that software components may be implemented as hardware components and vice-versa—for example, a virtual Secure Element (vSE) implementation or a logical hardware implementation.
  • Software, in accordance with the present disclosure, such as program code and/or data, may be stored on one or more computer readable and executable mediums. It is also contemplated that software identified herein may be implemented using one or more general purpose or specific purpose computers and/or computer systems, networked and/or otherwise. Where applicable, the ordering of various steps described herein may be changed, combined into composite steps, and/or separated into sub-steps to provide features described herein.
  • The foregoing disclosure is not intended to limit the present invention to the precise forms or particular fields of use disclosed. It is contemplated that various alternate embodiments and/or modifications to the present invention, whether explicitly described or implied herein, are possible in light of the disclosure. Having thus described various example embodiments of the disclosure, persons of ordinary skill in the art will recognize that changes may be made in form and detail without departing from the scope of the invention. Thus, the invention is limited only by the claims.

Claims (20)

1. A method comprising:
receiving, by an authentication system from a user through a network via a first secure subsystem, an identifier that is associated with an account;
transmitting, by the authentication system to a user device using the identifier, a one-time password;
receiving, by the authentication system from the user through the network via the first secure subsystem, a user input;
determining, by the authentication system, that the user input includes the one-time password that was transmitted to the user device;
authenticating, by the authentication system in response to determining that the user input includes the one-time password that was transmitted to the user device, the user with the first secure subsystem and at least one other-website second secure subsystem without further use of the one-time password or user identifier.
2. The method of claim 1, wherein authenticating the user with the first secure subsystem further comprises:
generating, by the authentication system, unique identifier that represents the account; and
transmitting, by the authentication system to the first secure subsystem, profile information for the account that includes the unique identifier generated by the authentication system.
3. The method of claim 2, wherein the user is authenticated with the at least one second secure subsystem using the profile information.
4. The method of claim 1, wherein the user is authenticated with the first secure subsystem and at least one second secure subsystem in response only to receiving the user input that includes the one-time password.
5. The method of claim 1, wherein the one-time password is transmitted by the authentication system to the user device via a text message.
6. The method of claim 1, wherein the user device is distinct from the first secure subsystem.
7. The method of claim 1, wherein the first secure subsystem includes a website.
8. An authentication system comprising:
a non-transitory memory; and
one or more hardware processors that are coupled to the non-transitory memory and configured to execute instructions to cause the authentication system to perform operations comprising:
receiving, from a user through a network via a first secure subsystem, an identifier that is associated with an account;
transmitting, to a user device using the identifier, a one-time password;
receiving, from the user through the network via the first secure subsystem, a user input;
determining that the user input includes the one-time password that was transmitted to the user device;
authenticating, in response to determining that the user input includes the one-time password that was transmitted to the user device, the user with the first secure subsystem and at least one second secure subsystem without further use of the one-time password or user identifier.
9. The system of claim 8, wherein authenticating the user with the first secure subsystem further comprises:
generating a unique identifier that represents the account; and
transmitting, to the first secure subsystem, profile information for the account that includes a unique identifier that represents the account.
10. The system of claim 9, wherein the user is authenticated with the at least one second secure subsystem using the profile information.
11. The system of claim 8, wherein the user is authenticated with the first secure subsystem and at least one second secure subsystem in response only to receiving the user input that includes the one-time password.
12. The system of claim 8, wherein the one-time password is transmitted to the user device via a text message.
13. The system of claim 8, wherein the user device is distinct from the first secure subsystem.
14. The system of claim 8, wherein the first secure subsystem includes a website.
15. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
receiving, from a user through a network via a first secure subsystem, an identifier that is associated with an account;
transmitting, to a user device using the identifier, a one-time password;
receiving, from the user through the network via the first secure subsystem, a user input;
determining that the user input includes the one-time password that was transmitted to the user device; and
authenticating, in response to determining that the user input includes the one-time password that was transmitted to the user device, the user with the first secure subsystem and at least one second secure subsystem without further use of the one-time password or user identifier.
16. The non-transitory machine-readable medium of claim 15, wherein authenticating the user with the first secure subsystem further comprises:
generating a unique identifier that represents the account; and
transmitting, to the first secure subsystem, profile information for the account that includes a unique identifier that represents the account.
17. The non-transitory machine-readable medium of claim 16, wherein the user is authenticated with the at least one second secure subsystem using the profile information.
18. The non-transitory machine-readable medium of claim 15, wherein the user is authenticated with the first secure subsystem and at least one second secure subsystem in response only to receiving the user input that includes the one-time password.
19. The non-transitory machine-readable medium of claim 15, wherein the one-time password is transmitted to the user device via a text message.
20. The non-transitory machine-readable medium of claim 15, wherein the user device is distinct from the first secure subsystem.
US15/192,919 2012-04-13 2016-06-24 Two factor authentication using a one-time password Abandoned US20160308856A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/192,919 US20160308856A1 (en) 2012-04-13 2016-06-24 Two factor authentication using a one-time password

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13/447,092 US9378356B2 (en) 2012-04-13 2012-04-13 Two factor authentication using a one-time password
US15/192,919 US20160308856A1 (en) 2012-04-13 2016-06-24 Two factor authentication using a one-time password

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/447,092 Continuation US9378356B2 (en) 2012-04-13 2012-04-13 Two factor authentication using a one-time password

Publications (1)

Publication Number Publication Date
US20160308856A1 true US20160308856A1 (en) 2016-10-20

Family

ID=49326323

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/447,092 Active US9378356B2 (en) 2012-04-13 2012-04-13 Two factor authentication using a one-time password
US15/192,919 Abandoned US20160308856A1 (en) 2012-04-13 2016-06-24 Two factor authentication using a one-time password

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13/447,092 Active US9378356B2 (en) 2012-04-13 2012-04-13 Two factor authentication using a one-time password

Country Status (1)

Country Link
US (2) US9378356B2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108933789A (en) * 2018-07-05 2018-12-04 赵朝胜 A kind of method and third-party application server preventing personal information leakage
US20190386984A1 (en) * 2018-06-14 2019-12-19 Paypal, Inc. Two-factor authentication through ultrasonic audio transmissions

Families Citing this family (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9129105B2 (en) 2011-09-29 2015-09-08 Oracle International Corporation Privileged account manager, managed account perspectives
WO2013173986A1 (en) * 2012-05-23 2013-11-28 Axalto Smart Cards Technology Co., Ltd. A method for protecting data on a mass storage device and a device for the same
CN103685384A (en) * 2012-09-12 2014-03-26 中兴通讯股份有限公司 User authentication method and device for preventing malicious harassment
US10069838B2 (en) * 2012-12-18 2018-09-04 Adobe Systems Incorporated Controlling consumption of hierarchical repository data
US20140208405A1 (en) * 2013-01-23 2014-07-24 Tal Hashai Simplified and Safe User Authentication
WO2014190542A1 (en) * 2013-05-31 2014-12-04 华为技术有限公司 Transfer information processing method and device
US9218473B2 (en) * 2013-07-18 2015-12-22 Suprema Inc. Creation and authentication of biometric information
US9288202B1 (en) * 2013-09-03 2016-03-15 Sprint Communications Company L.P. Proxy password reset
EP2849448A1 (en) * 2013-09-13 2015-03-18 Nagravision S.A. Method for controlling access to broadcast content
US9667610B2 (en) 2013-09-19 2017-05-30 Oracle International Corporation Privileged account plug-in framework—network—connected objects
US9471684B2 (en) * 2013-12-18 2016-10-18 Verizon Patent And Licensing Inc. Provision of embedded code for content provider web sites and applications
US9602545B2 (en) 2014-01-13 2017-03-21 Oracle International Corporation Access policy management using identified roles
US9332008B2 (en) 2014-03-28 2016-05-03 Netiq Corporation Time-based one time password (TOTP) for network authentication
CN104410498B (en) * 2014-12-03 2018-04-03 上海众人网络安全技术有限公司 A kind of dynamic password authentication method and its system
GB2533095A (en) 2014-12-08 2016-06-15 Cryptomathic Ltd System and method
US10997654B1 (en) 2015-01-15 2021-05-04 Wells Fargo Bank, N.A. Identity verification services through external entities via application programming interface
US10937025B1 (en) 2015-01-15 2021-03-02 Wells Fargo Bank, N.A. Payment services via application programming interface
US10990974B1 (en) * 2015-01-15 2021-04-27 Wells Fargo Bank, N.A. Identity verification services and user information provision via application programming interface
US10621658B1 (en) 2015-01-15 2020-04-14 Wells Fargo Bank, N.A. Identity verification services with identity score through external entities via application programming interface
KR101652625B1 (en) * 2015-02-11 2016-08-30 주식회사 이베이코리아 Security authentification system for membership login of online website and method thereof
US20160380780A1 (en) * 2015-06-25 2016-12-29 Collaboration Solutions, Inc. Systems and Methods for Simultaneously Sharing Media Over a Network
WO2017003379A1 (en) * 2015-06-30 2017-01-05 Treebox Solutions Pte Ltd A method performed by at least one server configured to authenticate a user for a web service login
KR102424055B1 (en) 2015-12-08 2022-07-25 한국전자통신연구원 Apparatus and Method for Providing API Authentication using Two API Tokens
US10666642B2 (en) * 2016-02-26 2020-05-26 Ca, Inc. System and method for service assisted mobile pairing of password-less computer login
JP6122984B1 (en) * 2016-03-02 2017-04-26 株式会社リクルートホールディングス Authentication processing apparatus and authentication processing method
JP6072954B1 (en) * 2016-03-02 2017-02-01 株式会社リクルートホールディングス Authentication processing apparatus and authentication processing method
US10333946B1 (en) * 2016-06-22 2019-06-25 Amazon Technologies, Inc. Distributing variable entropy ephemeral security credentials across channels of variable assurance
CN107689944A (en) * 2016-08-05 2018-02-13 阿里巴巴集团控股有限公司 Identity identifying method, device and system
CN106791060A (en) * 2016-12-12 2017-05-31 努比亚技术有限公司 Mobile terminal and its method of password authentication
EP3382937B1 (en) 2017-03-28 2022-05-18 Rohde & Schwarz GmbH & Co. KG Transmission device, system as well as method for transmitting monitoring information
US10536450B2 (en) 2017-04-18 2020-01-14 Microsoft Technology Licensing, Llc. Personal identifier sign-in for organizational users
US10721222B2 (en) * 2017-08-17 2020-07-21 Citrix Systems, Inc. Extending single-sign-on to relying parties of federated logon providers
EP3502998A1 (en) * 2017-12-19 2019-06-26 Mastercard International Incorporated Access security system and method
US11676126B1 (en) 2017-12-28 2023-06-13 Wells Fargo Bank, N.A. Account open interfaces
US11106515B1 (en) 2017-12-28 2021-08-31 Wells Fargo Bank, N.A. Systems and methods for multi-platform product integration
US11995619B1 (en) 2017-12-28 2024-05-28 Wells Fargo Bank, N.A. Account open interfaces
US10771503B2 (en) * 2018-01-05 2020-09-08 Sap Se Dissuading stolen password reuse
US10218695B1 (en) 2018-03-27 2019-02-26 Capital One Services, Llc Systems and methods for providing credentialless login using a random one-time passcode
CN110659886A (en) * 2018-06-28 2020-01-07 北京大码技术有限公司 Digital currency payment system, payment method and payment device
US11379850B1 (en) 2018-12-10 2022-07-05 Wells Fargo Bank, N.A. Third-party payment interfaces
US11044246B1 (en) 2019-06-21 2021-06-22 Wells Fargo Bank, N.A. Secure communications via third-party systems through frames
US20220114856A1 (en) * 2020-10-09 2022-04-14 Juice Integration, Inc. System and method for monitoring performance of sports betting activity
US11165586B1 (en) * 2020-10-30 2021-11-02 Capital One Services, Llc Call center web-based authentication using a contactless card
US20220141658A1 (en) * 2020-11-05 2022-05-05 Visa International Service Association One-time wireless authentication of an internet-of-things device
US11792200B2 (en) * 2021-03-10 2023-10-17 The Toronto-Dominion Bank Method and system for remotely verifying identity prior to provisioning a data record for a service

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090254479A1 (en) * 2008-04-02 2009-10-08 Pharris Dennis J Transaction server configured to authorize payment transactions using mobile telephone devices
US20120041879A1 (en) * 2010-08-10 2012-02-16 Paul Kim Methods and systems for payment processing between consumers and merchants
US20130014236A1 (en) * 2011-07-05 2013-01-10 International Business Machines Corporation Method for managing identities across multiple sites
US8490168B1 (en) * 2005-10-12 2013-07-16 At&T Intellectual Property I, L.P. Method for authenticating a user within a multiple website environment to provide secure access

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6944669B1 (en) * 1999-10-22 2005-09-13 America Online, Inc. Sharing the personal information of a network user with the resources accessed by that network user
CN109118241A (en) 2010-01-19 2019-01-01 维萨国际服务协会 remote variable authentication processing
US20110185406A1 (en) * 2010-01-26 2011-07-28 Boku, Inc. Systems and Methods to Authenticate Users
US8527417B2 (en) * 2010-07-12 2013-09-03 Mastercard International Incorporated Methods and systems for authenticating an identity of a payer in a financial transaction

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8490168B1 (en) * 2005-10-12 2013-07-16 At&T Intellectual Property I, L.P. Method for authenticating a user within a multiple website environment to provide secure access
US20090254479A1 (en) * 2008-04-02 2009-10-08 Pharris Dennis J Transaction server configured to authorize payment transactions using mobile telephone devices
US20120041879A1 (en) * 2010-08-10 2012-02-16 Paul Kim Methods and systems for payment processing between consumers and merchants
US20130014236A1 (en) * 2011-07-05 2013-01-10 International Business Machines Corporation Method for managing identities across multiple sites

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190386984A1 (en) * 2018-06-14 2019-12-19 Paypal, Inc. Two-factor authentication through ultrasonic audio transmissions
CN108933789A (en) * 2018-07-05 2018-12-04 赵朝胜 A kind of method and third-party application server preventing personal information leakage

Also Published As

Publication number Publication date
US20130276078A1 (en) 2013-10-17
US9378356B2 (en) 2016-06-28

Similar Documents

Publication Publication Date Title
US9378356B2 (en) Two factor authentication using a one-time password
US11956243B2 (en) Unified identity verification
US11818272B2 (en) Methods and systems for device authentication
US9491155B1 (en) Account generation based on external credentials
US8689310B2 (en) Applications login using a mechanism relating sub-tokens to the quality of a master token
US10325088B2 (en) Method and system for information authentication
US8707048B2 (en) Dynamic pattern insertion layer
US10460313B1 (en) Systems and methods of integrated identity verification
US20150371221A1 (en) Two factor authentication for invoicing payments
US11050749B2 (en) Credential storage manager for protecting credential security during delegated account use
US20140297538A1 (en) System and Method for Data and Identity Verification and Authentication
US20130262303A1 (en) Secure transactions with a mobile device
US20170345003A1 (en) Enhancing electronic information security by conducting risk profile analysis to confirm user identity
US11100504B2 (en) Systems and methods facilitating account access delegation
US20210312576A1 (en) System for authenticating patron computing device and allowing ordering food therefrom at restaurant
US11489828B2 (en) Tenant aware mutual TLS authentication

Legal Events

Date Code Title Description
AS Assignment

Owner name: PAYPAL, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:EBAY INC.;REEL/FRAME:039145/0831

Effective date: 20150717

Owner name: EBAY INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ROCKWELL, PAUL;REEL/FRAME:039145/0769

Effective date: 20120413

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION